IDS Colloquium 2001
John Kristoff - DePaul University
Intrusion Detection Systems (IDS)

John Kristoff
jtk@depaul.edu
http://networks.depaul.edu/
+1 312 362-5878
DePaul University
Chicago, IL 60604
Why IDS?
- Interesting, but immature technology
- Provides lots of data/information
- Generally doesn't interfere with communications
- Anything that improves security...

What is IDS?
- Ideally, immediately identifies successful attacks
- Should have an immediate notification system
  - Out-of-band from the attack if possible
- Can probably also monitor attack attempts
- Might have attack diagnosis, recommendation and/or automated attack mitigation response
- Lofty goals:
  - 0% false positive rate
  - 0% false negative rate
Privacy issues
- Does an IDS violate privacy?
  - Are packet headers (protocols) private?
  - Is identification (an address) private?
  - Are packet contents (payload) private?
  - Are communications (flows/sessions) private?
- Where is the IDS?
- Who manages the IDS?
- How is the IDS data handled and managed?

Storage, mining and presentation
- IDSs can collect LOTS of information
- What is useful data?
- What are you looking for?
- Data correlation within/outside of the IDS?
- What does the admin see?
- Where and for how long do you keep data?
- How do you secure access to IDS data?
Host IDS
- An integral part of an end-system
  - System log monitor
  - Kernel level packet monitor
  - Application specific
- A very good place to put security
- Distributed management issues
- Not all end systems will support an IDS
- Will be as useful as the end user is clueful

Network IDS
- An add-on to the communications system
- Generally passive and invisible to the ends
- May see things a host IDS cannot easily see
  - Fragmentation, other host attacks (correlation)
- May not understand network traffic
  - Unknown protocols/applications, encryption
- May miss things that don't cross its boundary
Anomaly detection
- A form of artificial intelligence
- Learn what is normal for a network/system
- If an event is not normal, generate an alert
- May catch new attacks not seen before
- For a simple, but effective example see:
  - Detecting Backdoors, Y. Zhang and V. Paxson, 9th USENIX Security Symposium
- An area of active research

Signature matching
- Know what an attack looks like and look for it
- Very easy to implement
- Low false positive rate
- Most current IDSs are of this type
- Easy to fool
- Signatures must be added/updated regularly
Honeypots
- A system that welcomes attacks
  - Generally unbeknownst to the attacker
- The system is very closely monitored
- Can be used to test new technology/systems
- Generally educational in nature
- Helpful as a trend monitor for that system type
- Be careful the honeypot doesn't become a liability

Possible IDS failure modes
- Fragmentation, state and high speeds
  - Requires lots of CPU, memory and bandwidth
- Inability to decode the message/transaction
  - t^Hrr^Hm56^H^H //^H -u^Hrf (^H is a backspace: a terminal renders this as "rm / -rf", but a matcher looking at the raw bytes never sees the string "rm")
- Background noise
- Tunnelling/encryption
- IDS path evasion
- Stupid user tricks
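The backspace trick on the failure-modes slide is a decoding problem: the bytes on the wire and the command the receiving terminal executes are different strings. The following is an added example, not code from the deck. WIRE is the slide's string written out as bytes; the two signatures and the percent-encoded HTTP request are assumptions added to show the same failure mode in a second encoding. The matcher is run twice, once on the raw bytes and once after normalising them the way the receiver would interpret them.

```python
# Decoding before matching. Added example, not from the original deck.
# WIRE is the slide's backspace-laden string written out as bytes; the
# signatures and the percent-encoded HTTP request are assumptions chosen to
# show the same failure mode in two encodings.
import re
from urllib.parse import unquote_to_bytes

# The slide's example, t^Hrr^Hm56^H^H //^H -u^Hrf, with ^H as the byte 0x08.
WIRE = b"t\x08rr\x08m56\x08\x08 //\x08 -u\x08rf"
# Constructed HTTP request whose path is hidden behind %XX escapes.
ENCODED_URL = b"GET /cgi-bin/..%2F%65%74%63/passwd HTTP/1.0"

SIGNATURES = {
    "rm-rf": re.compile(rb"\brm\b.*-rf"),
    "etc-passwd": re.compile(rb"/etc/passwd"),
}

def render_backspaces(data):
    """Replay the bytes as a terminal would: each 0x08 erases the previous character."""
    out = bytearray()
    for b in data:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)

def normalise(data):
    """Decode the way the receiver will interpret the data: percent-escapes
    first (an HTTP server's view), then backspaces (a terminal's view)."""
    return render_backspaces(unquote_to_bytes(data))

def matches(data, decode):
    """Names of signatures that fire on the raw bytes (decode=False) or on the
    normalised bytes (decode=True)."""
    view = normalise(data) if decode else data
    return [name for name, pat in SIGNATURES.items() if pat.search(view)]

if __name__ == "__main__":
    for sample in (WIRE, ENCODED_URL):
        print(repr(sample), "->", repr(normalise(sample)),
              "raw:", matches(sample, False), "decoded:", matches(sample, True))
```

Neither signature fires on the raw bytes; both fire after normalisation. The caveat is the one the slide is really making: the IDS has to decode exactly as the end system does. A terminal that treats 0x08 differently, or a web server that decodes an extra layer of escapes, leaves the IDS with a view of the transaction that the target never saw, and the mismatch is where evasion lives.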
The poor man's Network IDS
- Set up a router subnet and a unix host
- Block all outgoing/incoming packets
  - access-list 100 deny ip any any log
- Log packets (filter matches) with syslog
- Use perl/grep/uniq/... to build simple reports
  - Total violations: 468
  - Top source host: badguy.org
  - Top dest. TCP port: 21 (ftp)

The poor man's host IDS
- Use snort (http://www.snort.org/) or...
- Turn on all logging and do log reporting
- Install a fake service and monitor it
  - tcp_wrappers, Back Officer Friendly
- Use diff (or equivalent) to monitor file changes
  - Keep copies of data/configs elsewhere
- Use Tripwire or equivalent
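The poor man's network IDS slide ends with a report built from the router's syslog output. The following is an added example of that report step, not the deck's own perl/grep/uniq pipeline. SYSLOG is a constructed excerpt modelled on the Cisco IOS %SEC-6-IPACCESSLOGP message for a logged TCP/UDP deny; a protocol-level "deny ip any any log" entry may produce a variant without port numbers on some IOS versions, so the regular expression is an assumption to adjust to the real log. NAMES stands in for the reverse DNS lookups a real report would make.

```python
# Poor man's NIDS report. Added example, not the deck's own perl/grep/uniq
# pipeline. SYSLOG is a constructed excerpt modelled on the Cisco IOS
# %SEC-6-IPACCESSLOGP message for a logged ACL deny; NAMES stands in for the
# reverse DNS lookups a real report would make.
import re
from collections import Counter

SYSLOG = """\
Mar  3 10:01:12 border-rtr 101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(2311) -> 192.0.2.10(21), 1 packet
Mar  3 10:01:13 border-rtr 102: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(2312) -> 192.0.2.11(21), 1 packet
Mar  3 10:01:40 border-rtr 103: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.4(4040) -> 192.0.2.10(80), 3 packets
Mar  3 10:02:05 border-rtr 104: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.4(53) -> 192.0.2.10(53), 1 packet
Mar  3 10:06:12 border-rtr 105: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(2313) -> 192.0.2.12(21), 5 packets
Mar  3 10:07:00 border-rtr 106: %SYS-5-RESTART: System restarted
"""

LOGLINE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed stand-in for reverse DNS.
NAMES = {"203.0.113.7": "badguy.example", "198.51.100.4": "scanner.example"}

def parse_acl_log(text):
    """Yield one dict per ACL log line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOGLINE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["count"] = int(rec["count"])  # IOS folds repeats into "N packets"
            yield rec

def report(text):
    """Totals the slide shows: violations, top source host, top destination TCP port.
    Counts are packets, not log lines, because of the IOS aggregation above."""
    total = 0
    by_src = Counter()
    by_tcp_port = Counter()
    for rec in parse_acl_log(text):
        total += rec["count"]
        by_src[rec["src"]] += rec["count"]
        if rec["proto"] == "tcp":
            by_tcp_port[rec["dport"]] += rec["count"]
    if not by_src:
        raise ValueError("no ACL log entries found")
    src, src_n = by_src.most_common(1)[0]
    port, port_n = by_tcp_port.most_common(1)[0] if by_tcp_port else (None, 0)
    return {"total": total, "top_src": NAMES.get(src, src), "top_src_packets": src_n,
            "top_tcp_port": port, "top_tcp_port_packets": port_n}

def format_report(r):
    """Three lines in the layout the slide shows."""
    return "\n".join([
        f"Total violations: {r['total']}",
        f"Top source host: {r['top_src']} ({r['top_src_packets']} packets)",
        f"Top dest. TCP port: {r['top_tcp_port']} ({r['top_tcp_port_packets']} packets)",
    ])

if __name__ == "__main__":
    print(format_report(report(SYSLOG)))
```

Two things matter in practice that grep and uniq alone get wrong: the packet count at the end of each line must be summed rather than counting lines, and a router under a flood will rate-limit its logging, so the report is a lower bound on what was dropped, not a census.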
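The host IDS slide's "use diff to monitor file changes" and "use Tripwire or equivalent" are the same technique at two levels of polish: record what the files looked like, keep that record somewhere the intruder cannot reach, and compare later. The following is an added example of that technique, not Tripwire's code or the deck's own procedure. It builds a manifest of content hashes, sizes and permission bits for a directory tree and diffs a later manifest against it; the sample tree and the simulated tampering are constructed in a temporary directory so it runs anywhere.

```python
# Tripwire-style integrity check. Added example, not Tripwire's or the deck's
# own procedure: a manifest of content hashes is built for a tree, and a later
# manifest is compared against it. The sample tree and the "intrusion" are
# constructed inside a temporary directory so the example runs anywhere.
import hashlib
import json
import os
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """{relative path: {sha256, size, mode}} for every regular file under root.
    Content hash rather than mtime: an intruder can reset timestamps."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": _sha256(full), "size": st.st_size,
                             "mode": oct(st.st_mode & 0o7777)}
    return manifest

def compare(baseline, current):
    """Files added, removed, or changed (content, size or permissions) since baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "inetd.conf"), "w") as f:
            f.write("ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n")
        saved = json.dumps(build_manifest(root))  # the copy to keep off the host
        # Simulated tampering: extra uid-0 account, a service removed, a file planted.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "inetd.conf"))
        with open(os.path.join(root, "rootkit"), "w") as f:
            f.write("not really\n")
        return compare(json.loads(saved), build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of the check is only as good as the storage of the baseline and of the checker itself, which is the point of the slide's "keep copies of data/configs elsewhere": a manifest left on the monitored host can be regenerated by whoever changed the files, and a checker that runs on a host whose kernel has already been replaced is reading what the intruder lets it read.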
References
- Network Intrusion Detection, An Analyst's Handbook, by Stephen Northcutt
- http://www.usenix.org/
- http://www.research.att.com/~smb/
- mailto:ids-request@uow.edu.au (in body put "help")
- http://www.cerias.purdue.edu/
- http://www.cert.org/